gstreamer-plugins-good-1.24.10-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14578-1 Final 1 1 2024-12-13T00:00:00Z current 2024-12-13T00:00:00Z 2024-12-13T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z gstreamer-plugins-good-1.24.10-2.1 on GA media These are all security issues fixed in the gstreamer-plugins-good-1.24.10-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14578 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GZDF3P2GSSY47IWYHI5OBEEMZAKWSY3E/ E-Mail link for openSUSE-SU-2024:14578-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-47530/ SUSE CVE CVE-2024-47530 page https://www.suse.com/security/cve/CVE-2024-47537/ SUSE CVE CVE-2024-47537 page https://www.suse.com/security/cve/CVE-2024-47598/ SUSE CVE CVE-2024-47598 page https://www.suse.com/security/cve/CVE-2024-47599/ SUSE CVE CVE-2024-47599 page https://www.suse.com/security/cve/CVE-2024-47601/ SUSE CVE CVE-2024-47601 page https://www.suse.com/security/cve/CVE-2024-47606/ SUSE CVE CVE-2024-47606 page https://www.suse.com/security/cve/CVE-2024-47613/ SUSE CVE CVE-2024-47613 page https://www.suse.com/security/cve/CVE-2024-47774/ SUSE CVE CVE-2024-47774 page https://www.suse.com/security/cve/CVE-2024-47775/ SUSE CVE CVE-2024-47775 page openSUSE Tumbleweed gstreamer-plugins-good-1.24.10-2.1 gstreamer-plugins-good-32bit-1.24.10-2.1 gstreamer-plugins-good-extra-1.24.10-2.1 gstreamer-plugins-good-extra-32bit-1.24.10-2.1 gstreamer-plugins-good-gtk-1.24.10-2.1 gstreamer-plugins-good-jack-1.24.10-2.1 gstreamer-plugins-good-jack-32bit-1.24.10-2.1 gstreamer-plugins-good-lang-1.24.10-2.1 gstreamer-plugins-good-qtqml-1.24.10-2.1 gstreamer-plugins-good-qtqml6-1.24.10-2.1 gstreamer-plugins-good-1.24.10-2.1 as a component of openSUSE Tumbleweed gstreamer-plugins-good-32bit-1.24.10-2.1 as a component of openSUSE Tumbleweed gstreamer-plugins-good-extra-1.24.10-2.1 as a component of openSUSE Tumbleweed gstreamer-plugins-good-extra-32bit-1.24.10-2.1 as a component of openSUSE Tumbleweed gstreamer-plugins-good-gtk-1.24.10-2.1 as a component of openSUSE Tumbleweed gstreamer-plugins-good-jack-1.24.10-2.1 as a component of openSUSE Tumbleweed gstreamer-plugins-good-jack-32bit-1.24.10-2.1 as a component of openSUSE Tumbleweed gstreamer-plugins-good-lang-1.24.10-2.1 as a component of openSUSE Tumbleweed gstreamer-plugins-good-qtqml-1.24.10-2.1 as a component of openSUSE Tumbleweed gstreamer-plugins-good-qtqml6-1.24.10-2.1 as a component of openSUSE Tumbleweed Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89. CVE-2024-47530 openSUSE Tumbleweed:gstreamer-plugins-good-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-gtk-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-lang-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml6-1.24.10-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GZDF3P2GSSY47IWYHI5OBEEMZAKWSY3E/ https://www.suse.com/security/cve/CVE-2024-47530.html CVE-2024-47530 https://bugzilla.suse.com/1239347 SUSE Bug 1239347 GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10. CVE-2024-47537 openSUSE Tumbleweed:gstreamer-plugins-good-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-gtk-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-lang-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml6-1.24.10-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GZDF3P2GSSY47IWYHI5OBEEMZAKWSY3E/ https://www.suse.com/security/cve/CVE-2024-47537.html CVE-2024-47537 https://bugzilla.suse.com/1234414 SUSE Bug 1234414 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in the qtdemux_merge_sample_table function within qtdemux.c. The problem is that the size of the stts buffer isn't properly checked before reading stts_duration, allowing the program to read 4 bytes beyond the boundaries of stts->data. This vulnerability reads up to 4 bytes past the allocated bounds of the stts array. This vulnerability is fixed in 1.24.10. CVE-2024-47598 openSUSE Tumbleweed:gstreamer-plugins-good-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-gtk-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-lang-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml6-1.24.10-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GZDF3P2GSSY47IWYHI5OBEEMZAKWSY3E/ https://www.suse.com/security/cve/CVE-2024-47598.html CVE-2024-47598 https://bugzilla.suse.com/1234426 SUSE Bug 1234426 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_jpeg_dec_negotiate function in gstjpegdec.c. This function does not check for a NULL return value from gst_video_decoder_set_output_state. When this happens, dereferences of the outstate pointer will lead to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. CVE-2024-47599 openSUSE Tumbleweed:gstreamer-plugins-good-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-gtk-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-lang-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml6-1.24.10-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GZDF3P2GSSY47IWYHI5OBEEMZAKWSY3E/ https://www.suse.com/security/cve/CVE-2024-47599.html CVE-2024-47599 https://bugzilla.suse.com/1234427 SUSE Bug 1234427 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_parse_blockgroup_or_simpleblock function within matroska-demux.c. This function does not properly check the validity of the GstBuffer *sub pointer before performing dereferences. As a result, null pointer dereferences may occur. This vulnerability is fixed in 1.24.10. CVE-2024-47601 openSUSE Tumbleweed:gstreamer-plugins-good-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-gtk-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-lang-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml6-1.24.10-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GZDF3P2GSSY47IWYHI5OBEEMZAKWSY3E/ https://www.suse.com/security/cve/CVE-2024-47601.html CVE-2024-47601 https://bugzilla.suse.com/1234428 SUSE Bug 1234428 GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10. CVE-2024-47606 openSUSE Tumbleweed:gstreamer-plugins-good-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-gtk-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-lang-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml6-1.24.10-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GZDF3P2GSSY47IWYHI5OBEEMZAKWSY3E/ https://www.suse.com/security/cve/CVE-2024-47606.html CVE-2024-47606 https://bugzilla.suse.com/1234449 SUSE Bug 1234449 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. CVE-2024-47613 openSUSE Tumbleweed:gstreamer-plugins-good-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-gtk-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-lang-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml6-1.24.10-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GZDF3P2GSSY47IWYHI5OBEEMZAKWSY3E/ https://www.suse.com/security/cve/CVE-2024-47613.html CVE-2024-47613 https://bugzilla.suse.com/1234447 SUSE Bug 1234447 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. This vulnerability is fixed in 1.24.10. CVE-2024-47774 openSUSE Tumbleweed:gstreamer-plugins-good-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-gtk-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-lang-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml6-1.24.10-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GZDF3P2GSSY47IWYHI5OBEEMZAKWSY3E/ https://www.suse.com/security/cve/CVE-2024-47774.html CVE-2024-47774 https://bugzilla.suse.com/1234446 SUSE Bug 1234446 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been found in the parse_ds64 function within gstwavparse.c. The parse_ds64 function does not check that the buffer buf contains sufficient data before attempting to read from it, doing multiple GST_READ_UINT32_LE operations without performing boundary checks. This can lead to an OOB-read when buf is smaller than expected. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10. CVE-2024-47775 openSUSE Tumbleweed:gstreamer-plugins-good-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-extra-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-gtk-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-jack-32bit-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-lang-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml-1.24.10-2.1 openSUSE Tumbleweed:gstreamer-plugins-good-qtqml6-1.24.10-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GZDF3P2GSSY47IWYHI5OBEEMZAKWSY3E/ https://www.suse.com/security/cve/CVE-2024-47775.html CVE-2024-47775 https://bugzilla.suse.com/1234434 SUSE Bug 1234434